Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2020

How to remove Black Claw ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Black Claw ransomware is encryption-based malware that locks personal and some system files for blackmailing victims

Black Claw ransomware

Black Claw ransomware, otherwise known as BlackClaw or .bclaw file extension virus, is one of the latest crypto-malware revealed ar the end of May 2020. First spotted by a ransomware researcher Amigo-A[1] it turns out as a separate ransomware variant geologically not bound to any of previously known viruses of its type. According to the researcher, it uses a combination of AES and RSA encryption algorithms to lock data on a host machine. A successful encryption process is followed by a ransom note RECOVER YOUR FILES.hta, which commands victims to email criminals via bclaw@hitler.rocks email address or T.me\B_Claw telegram. 

The main distinctive marker of this ransomware is the .bclaw file extension, which appears as a suffix of each video, photo, Microsoft Office document, file archive, etc. encrypted. Typically, the extension is preceded either by the ID number, which can also be seen on the ransom note or ten randomly generated lower case letters in square brackets. Unfortunately, there is no Black Claw decryption software for unlocking files for free. 

Victims of the bclaw file virus have two options, i.e. they can either contact criminals within 48 hours and pay the ransom after negotiations or run a full system scan after that attack while Windows is in Safe Mode[2] and remove all malicious entries that belong to this ransomware. We strongly advise victims not to pay the ransom because messing up with criminals can lead to privacy violations. Besides, no one can guarantee that crooks will send you a functional Black Claw decryption key. 

Name Black Claw
Also known as BlackClaw or .bclaw file extension virus
Geneology This ransomware is not attributed to any ransomware family. It's a standalone encryption-based ransomware
Detection date The virus has been spotted by ransomware researcher on May 26, 2020
File marker .[].bclaw  or .[XXXXXXXXXX].bclaw
The XXX part typically consists of 10 random lower letters
Ransom note RECOVER YOUR FILES.hta
Encryption model Combination of AES and RSA ciphers
Contacts  bclaw@hitler.rocks Telegram: T.me\B_Claw
Symptoms Personal files cannot be opened because of a malicious file extension appended to each of them. Ransom note file created in every folder that contains encrypted data. Systems performance is slower than it used to be. The system restarts randomly, etc.
Danger The ransomware encrypts personal data and not paying the ransom can lead to permanent data loss. Besides, this virus initiates aggressive changes within the Windows registry, startup processes, and other components, thus diminishing the system's vulnerability. The ransomware can download other malicious programs, such as Remcos trojan or NjRat.
Elimination It is not possible to remove bclaw file virus without a professional anti-malware suit. Manually identifying malicious encryption-based files is not possible even for IT-savvy people. 
Data recovery No free encryption software is available for now. However, upon ransomware removal, you can try using alternative third-party data recovery tools. A full guide on how to recover encrypted files is provided at the end of this article. 
System recovery Take advantage of the FortectIntego repair utility to restore damaged Windows registry entries, removed system files, or disabled core processes.

 

BlackClaw ransomware virus is not reminiscent of any viruses of its type. Starting from the extension and ending with the design of the ransom note. However, just like other crypt-viruses, for example, the infamous Djvu, Phobos, RagnarLocker, Zeronine, and others, it exhibits similar traits: 

  • spreads via trojans, open RDPs, malicious spam email attachments, etc.
  • initiates multiple system's changes in the background before encrypting files;
  • uses a popular encryption model (combines AES and RSA);
  • generates a .hta file as a ransom note;
  • demands victims to contact and pay the redemption;
  • disguises malicious processes to increase prevalence;
  • removes Volume Shadow Copies of encrypted files, etc. 

It's extremely important to remove BlackClaw ransomware virus from the system as soon as its marker is noticed on files. In many cases, this type of virus carries additional virus payloads. Consequently, the longer you keep this virus installed, the higher is the risk of getting infected with malicious spyware or RAT. 

Right after installing the bclaw virus file marker is not immediately disclosed. The virus is initiating a multiplicity of changes within Windows registries, injects malicious files on Desktop, User_folders, and % TEMP% directories. This way it ensures itself a smooth load among Windows boot.

Upon successful unravel, the Black Claw file-encrypting virus launches its encryption scanner and adds the file marker to each encrypted file. Consequently, the victim can no longer open or modify the files that belong to him or her. At this point, criminals shatter the victim's confinement by presenting a RECOVER YOUR FILES.hta ransom file.

The criminals behind .bclaw file extension virus demand their victims not to exceed time limit, which is 48 hours for establishing contact. Otherwise, the ransom size (not specified yet) gets doubled. The email address provided for info is bclaw@hitler.rocks, though alternatively, people can contact crooks via the Telegram account T.me \ B_Claw. The original text on the ransom note says: 

All your files have been encrypted!

All your files have been encrypted (WITH AES+RSA) due to a security problem with your PC. If you want to restore them, write us an email and attach one of encrypted
files(less than 1mb): bclaw@hitler.rocks
or send a message to our telegram account: T.me\B_Claw

in case of no anwser in 2 hours contact with us throught Telegram account T.me\B_Claw

Include this id in your message or email:

YOU HAVE ONLY 48 HOURS TO CONTACT US. WHEN THIS TIME ENDS THE PRICE WILL BE TWICE AS MUCH

# Free decryption as guarantee

Before paying you can send up to 1 file for free decryption.

# How to obtain Bitcoin

The easiest way to buy Bitcoin in Localbitcoins.com website.
https://localbitcoins.com/buy_bitcoins

Also you can find other places to buy Bitcoins and beginner guide here:
https://www.coindesk.com/learn/bitcoin-101/how-can-i-buy-bitcoins

# ATTENTION !!!

DO NOT RENAME THE FILES.

BLACK CLAW RANSOMWARE

Do not fall for intimidations that the ransomware will permanently delete bclaw virus files if you attempt to rename them or use security software. That's usually a scare tactic that criminals use to increase the prevalence of the virus and restrict people from using AV tools. 

BlackClaw malware

If you have been attacked by this malicious virus, we strongly recommend you to restart the system into Safe Mode (a guide below the article explains how to to that) and run a scan with a reputable anti-virus to remove Black Claw virus from your machine. To ensure the elimination of each malicious entry that belongs to this threat, use tools like MalwarebytesMalwarebytes or SpyHunterCombo Cleaner.

BlackClaw ransomware infection can be devastating for the overall system's performance. The compromised files and processes can severely diminish its performance and, thus one the backdoor for subsequent infections. To revert the damage that the bclaw file virus triggered, use recovery software to scan the system after virus elimination. 

Keep the system protected while the exact itinerary of the ransomware is unknown

It would not be correct to say that ransomware distribution methods are not known. As for this particular ransomware virus, it's not yet clear what methods its developers use for the dissemination. Therefore, as long as researchers are working to find out how it spreads, what are its potentials, and how to decrypt its files, we recommend arming the machine with all possible security tools, including antivirus solution (full pack), enable reliable ad-blocker, and use real-time protection for scanning email attachments. 

There are loads of methods that hackers take advantage of to find security loopholes on the targeted machines. Although the methods are more or less similar for all malware, ransomware developers use more aggressive scripting and exploit to short-circuit machine's protection. The following ways of encryption-based malware distribution techniques are the most common:

  • Malicious email spam attachments. According to IBM[3], 59 percent of ransomware infects PC via obfuscated ZIP, PDW, EXE, and similar files that render Macros.
  • Malvertising. Hackers find ways to abuse legal channels of the ads injecting malicious codes inside popups and banners positioned on shady websites. 
  • Exploit kits. Exploit kits, such as Rig exploit kit allow criminals to gain full control over the host machine without its owner's knowledge and subsequently initiate malicious redirects to malicious servers. 
  • Torrenting websites. The content shared on peer-to-peer networks is not controlled by anyone. Thus, hackers can impersonate regular users and distribute files, such as software cracks or keygens with an additional ransomware payload. 

Black Claw encryption-based virus

Learn how to remove Black Claw ransomware in the right way

Usually, people get shocked after finding the .bclaw file extension virus on their data. Not only files get compromised but the entire system may run in an abnormal way. Not to mention a threatening ransom note that shouts out loud “pay me the money.” However, security experts from dieviren.de[4] recommend people to calm down and do not rush paying the ransom. 

The best solution in this unpleasant situation is a full bclaw file virus removal. Before that, use a USB flash drive to copy all affected files to prevent permanent file loss. After that restart Windows in Safe Mode with Networking as explained below then run a thorough scan with an antivirus tool that you have on your machine. If you don't have one, we recommend downloading SpyHunterCombo Cleaner or MalwarebytesMalwarebytes tools as they are great programs for eliminating malware and protecting the machine for subsequent cyber-attacks. 

Note that manual Black Claw ransomware removal is not possible under any circumstances. This pest roots deeply into the operating system and can misuse legitimate processes to disguise its own malicious procedures. Thus, the only way to repair your machine is to use an automated security program for ransomware elimination and then recover it to the previous state with the help of FortectIntego repair solution.   

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.